Spirit Managed Services is now branded Infotrust.
Cyber Emergency Number:
IT Support Number:
Blog

Key Findings: SydneySEC Panel - Data Retention, Privacy, and Evidence during Adverse Digital Events

Chris Hatfield
July 15, 2026
Home

Let's Get STARTED

Following my recent speaking commitment at SydneySEC about data retention and adverse digital events, I wanted to capture the core message in a short paper for two audiences. For those who attended the session, this is intended to refine and extend the discussion beyond the panel format. For those who were unable to attend, it provides a brief taster of the issues we explored: why data retention and disposal decisions are rarely simple, why context matters as much as content, and why these choices should be made deliberately before an incident, investigation or regulatory inquiry forces the issue. Think of it as the conference version of leftovers: still useful, possibly better the next day, and much safer when properly labelled.

Privacy and information governance are often presented as a simple proposition: keep less data, delete sooner, reduce exposure. As a principle, that is sound. For personal information, The Australian Privacy Principles require organisations to take reasonable steps to protect personal information and to destroy or de-identify it when it is no longer needed for a lawful purpose, subject to legal retention requirements. But not all sensitive organisational data is governed by the Privacy Act. Some information is commercially sensitive, strategically sensitive, legally sensitive, or contextually sensitive because of who created it, who received it, or how it may be interpreted if exposed. Board papers, CEO communications, instant messages, negotiation material, internal investigations, pricing decisions and customer strategy may all cause serious harm even where privacy law is not the central issue. But in practice, adverse digital events expose a harder truth: deletion can reduce exposure, while also removing the evidence needed to understand what happened, assess harm, respond to regulators, and defend decisions later.

The real issue is not whether organisations should remember more or less. It is whether they remember deliberately. Data retention, deletion, access and availability should be treated as risk decisions, not technical defaults. The organisations that struggle most during an incident are rarely those that made a clear, documented choice. They are the ones that discover, under pressure, that critical logs were never enabled, messages expired before they were needed, SaaS data sits behind a vendor process, or evidence exists but cannot be accessed quickly enough to be useful. In other words, “we probably have that somewhere” is not an incident response strategy.

The conflict: exposure versus explainability

The argument for minimisation is compelling. Data that is not held cannot be stolen, misused, over-disclosed or produced unnecessarily. Long retention periods create larger attack surfaces, larger discovery populations and larger privacy consequences if a breach occurs. Those consequences are not limited to personal information. Poorly governed archives, forgotten databases, local copies and unmanaged collaboration platforms can expose commercially sensitive plans, privileged material, executive decision-making, informal commentary or internal disagreement that may be damaging when removed from its original context. Yesterday’s operational convenience can become tomorrow’s regulatory, and reputational, commercial or litigation problem.

But adverse digital events create a competing obligation: explainability. When an incident occurs, organisations need facts and context. A payment record may show that a transaction occurred, but the surrounding emails, approvals, chat messages, endpoint events and access logs may explain why it occurred, whether it was authorised, who knew about it, and whether harm followed. The same is true for commercially sensitive and contextually sensitive material: an instant message, executive email or CEO communication may appear damaging in isolation, while the surrounding chronology may explain intent, escalation, approval or mitigation. A fact without context can mislead. Context without reliable evidence can be dismissed. During a breach, misconduct matter or regulatory inquiry, both fact and context are needed.

This is where retention and disposal become genuinely difficult. Under-retention may make the organisation less attractive to threat actors and reduce the volume of sensitive material available for disclosure or misuse, but it can also impair incident assessment, notification decisions, legal strategy and board reporting. Over-retention may preserve evidentiary value, but it can increase privacy, security, commercial sensitivity, surveillance and access risks. Neither extreme is defensible by default. The defensible position is the one that is proportionate, documented, governed and tested before the incident.

Availability as a missing control

Retention is too often treated as a binary choice: keep the data or delete it. That framing misses the practical control of availability. Data can be retained without being routinely accessible. It can be held in lower-availability environments, subject to strict access controls, approval pathways, logging, legal oversight and defined break-glass procedures. In some circumstances, that model may better balance privacy and evidentiary risk than either permanent deletion or unrestricted operational access.

The distinction matters. If data is always visible, it may invite misuse, unnecessary monitoring or excessive internal access. If data is impossible to retrieve, it may have little forensic or response value. A mature organisation defines what is visible by default, what becomes visible only under defined conditions, who authorises that change, how the decision is recorded, and how quickly the organisation can retrieve and rely on the material when pressure is high.

This issue is especially acute with SaaS platforms, third-party managed systems and collaboration tools. Organisations often assume that if the data exists somewhere, they will be able to access it when required. That assumption is frequently wrong. Retrieval may depend on licence tiers, default retention settings, vendor cooperation, contract terms, audit rights, logging configuration, export capability, export specific costs, and the speed of escalation. In incident response, evidence availability depends on design, not hope. Hope is wonderful in sport, less impressive in a regulator briefing.

Surveillance, proportionality and trust

Modern platforms can log almost everything: sign-ins, file movement, external sharing, device activity, anomalous downloads, unusual attachment patterns and collaboration behaviour. These signals can be extremely valuable for early detection of insider threats, data loss, account compromise and other adverse digital events. They can also create legitimate concerns about workplace surveillance, proportionality and employee trust.

The practical distinction is not capability; it is purpose, notice, governance and use. A spike in external attachments after an employee resigns may be a legitimate risk signal. Acting on that signal becomes more defensible when it is tied to a clear policy, a defined trigger, a proportionate response, restricted access and an auditable decision trail. It becomes harder to defend when monitoring is open-ended, poorly explained, inconsistent with employee expectations, or used for purposes beyond the stated risk objective.

In New South Wales, workplace surveillance also has a specific legal overlay. Computer, camera and tracking surveillance may require advance notice and clear policy settings. More broadly, privacy and employment expectations require organisations to explain what is monitored, when visibility increases, who can access the output, and why the control is necessary. Poorly governed monitoring can undermine trust and may create human and psychosocial consequences. Well-governed monitoring can protect people, customers, systems and the organisation itself.

What organisations should do before the incident

The lesson is not to retain everything. Nor is it to delete aggressively and hope for the best. The lesson is to make retention and disposal decisions through a risk lens before an incident forces the issue. Organisations should know what critical evidence sources exist, what they are used for, how long they are retained, whether they are accessible, who controls them, what legal obligations apply, and how quickly they can be obtained during a crisis. If the first evidence map is drawn on a whiteboard at 11:43 pm during an incident call, the organisation has already made the exercise more exciting than it needed to be.

This is also where I should acknowledge, with the appropriate level of professional shame, that the sales element of the paper has arrived. The good news is that it is not a manufactured one. This is how we are currently supporting clients: An Incident Response Retainers is one practical way to address this proactively. The value is not only rapid access to forensic and cyber expertise after an event, but to build. The greater value is readiness before one occurs. That includes mapping evidence sources, identifying logging gaps, testing access pathways, clarifying vendor escalation, defining break-glass procedures, rehearsing regulatory and board reporting, and helping organisations move from uncertainty to defensible action quickly.

We also help clients navigate complex governance, risk and compliance challenges by turning uncertainty into clearer, contextual information for decision making. To balance retention and disposal risk, we support data retention risk assessments and deliver threat and risk assessments to help clarify what information or data should be kept,

deleted, restricted or made available under defined conditions. These assessments can examine whether retention, deletion, identity and access controls, and if third- or fourth-party dependencies align with expectations, or where mitigation is likely to be most effective. Good outcomes require skilled practitioners who can link business objectives to technical controls, and we use that insight to help them strengthen incident response, business continuity, disaster recovery and related plans. Delivering those outcomes in a way that is auditable, usable and defensible to regulators and other interested parties is inherently complex. Leveraging my ever-expanding Australian dictionary… it takes ‘hard yakka’, but it is time well spent before incidents or regulatory action turns uncertainty into pressure.

Conclusion

Good privacy and information governance design is not about remembering less. It is about remembering deliberately. The organisations best placed to withstand adverse digital events will be those that have already resolved the tension between minimisation and evidence, between monitoring and surveillance, between privacy and commercial sensitivity, and between retention and availability. They will be able to show that their choices were intentional, proportionate and governed. Most importantly, they will not be trying to design their evidence strategy for the first time while the incident is already unfolding. By then, selective memory stops being a clever phrase and starts becoming a very expensive condition.